Reapply "boot: Add MCUBOOT_HW_KEY support for image encryption" with modifications #2022

Merged
merged 2 commits into from
Jul 31, 2024
13 changes: 12 additions & 1 deletion boot/bootutil/include/bootutil/enc_key.h
Expand Up @@ -32,6 +32,7 @@
#include <flash_map_backend/flash_map_backend.h>
#include "bootutil/crypto/aes_ctr.h"
#include "bootutil/image.h"
#include "bootutil/sign_key.h"
#include "bootutil/enc_key_public.h"

#ifdef __cplusplus
Expand All @@ -45,7 +46,17 @@ struct enc_key_data {
bootutil_aes_ctr_context aes_ctr;
};

extern const struct bootutil_key bootutil_enc_key;
/**
* Retrieve the private key for image encryption.
*
* @param[out] private_key structure to store the private key and
* its length.
*
* @return 0 on success; nonzero on failure.
*
*/
int boot_enc_retrieve_private_key(struct bootutil_key **private_key);

struct boot_status;

/* Decrypt random, symmetric encryption key */
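Review bot: The new boot_enc_retrieve_private_key() declaration does not state the ownership and lifetime contract an MCUBOOT_HW_KEY port has to honour, even though the key is handed back by pointer rather than copied and the parameter is non-const. The callers in encrypted.c read `key` and `*len` through that pointer while decrypting, so the comment should say the key is referenced, must stay valid and unchanged until the caller is done, and is never freed by the caller, and that an implementation signals failure by returning nonzero (the caller additionally rejects a NULL `*private_key`). Suggested lines for the block comment: ` * @note The key is referenced, not copied: it must remain valid and unmodified` / ` *       until the caller has finished using it; the caller never frees it.` / ` * @note Return nonzero on failure; *private_key is then not used.` The empty trailing ` *` line before `*/` can be dropped at the same time.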
49 changes: 37 additions & 12 deletions boot/bootutil/src/encrypted.c
Expand Up @@ -2,7 +2,7 @@
* SPDX-License-Identifier: Apache-2.0
*
* Copyright (c) 2018-2019 JUUL Labs
* Copyright (c) 2019-2023 Arm Limited
* Copyright (c) 2019-2024 Arm Limited
*/

#include "mcuboot_config/mcuboot_config.h"
Expand Down Expand Up @@ -67,13 +67,13 @@ static int bootutil_constant_time_compare(const uint8_t *a, const uint8_t *b, si

#if defined(MCUBOOT_ENCRYPT_KW)
static int
key_unwrap(const uint8_t *wrapped, uint8_t *enckey)
key_unwrap(const uint8_t *wrapped, uint8_t *enckey, struct bootutil_key *bootutil_enc_key)
{
bootutil_aes_kw_context aes_kw;
int rc;

bootutil_aes_kw_init(&aes_kw);
rc = bootutil_aes_kw_set_unwrap_key(&aes_kw, bootutil_enc_key.key, *bootutil_enc_key.len);
rc = bootutil_aes_kw_set_unwrap_key(&aes_kw, bootutil_enc_key->key, *bootutil_enc_key->len);
if (rc != 0) {
goto done;
}
Expand Down Expand Up @@ -334,7 +334,22 @@ hkdf(uint8_t *ikm, uint16_t ikm_len, uint8_t *info, uint16_t info_len,
bootutil_hmac_sha256_drop(&hmac);
return -1;
}
#endif
#endif /* MCUBOOT_ENCRYPT_EC256 || MCUBOOT_ENCRYPT_X25519 */

#if !defined(MCUBOOT_HW_KEY)
extern const struct bootutil_key bootutil_enc_key;

/*
* Default implementation to retrieve the private encryption key which is
* embedded in the bootloader code (when MCUBOOT_HW_KEY is not defined).
*/
int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
{
*private_key = (struct bootutil_key *)&bootutil_enc_key;

return 0;
}
#endif /* !MCUBOOT_HW_KEY */

int
boot_enc_init(struct enc_key_data *enc_state, uint8_t slot)
Expand Down Expand Up @@ -441,13 +456,23 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
uint8_t counter[BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE];
uint16_t len;
#endif
struct bootutil_key *bootutil_enc_key = NULL;
int rc = -1;

rc = boot_enc_retrieve_private_key(&bootutil_enc_key);
if (rc) {
return rc;
}

if (bootutil_enc_key == NULL) {
return rc;
}

#if defined(MCUBOOT_ENCRYPT_RSA)

bootutil_rsa_init(&rsa);
cp = (uint8_t *)bootutil_enc_key.key;
cpend = cp + *bootutil_enc_key.len;
cp = (uint8_t *)bootutil_enc_key->key;
cpend = cp + *bootutil_enc_key->len;

/* The enckey is encrypted through RSA so for decryption we need the private key */
rc = bootutil_rsa_parse_private_key(&rsa, &cp, cpend);
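Review bot: The NULL guard after boot_enc_retrieve_private_key() returns rc, but rc is 0 at that point because the nonzero case has already returned on the preceding lines, so a retrieval hook that reports success while leaving *private_key NULL makes boot_decrypt_key() return success without ever writing enckey. The caller then proceeds with an uninitialised key buffer instead of a hard failure. Change the guard to `if (bootutil_enc_key == NULL) { return -1; }`, matching the -1 failure convention already used in this file (rc's initial value, hkdf's error path); the `int rc = -1;` initialiser is otherwise dead now that rc is immediately overwritten. boot_decrypt_key()'s body continues outside the hunk, and the default retrieval implementation earlier in this file always sets a non-NULL pointer, so this only affects MCUBOOT_HW_KEY ports, which is exactly where the contract is new.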
Expand All @@ -466,15 +491,15 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)

#if defined(MCUBOOT_ENCRYPT_KW)

assert(*bootutil_enc_key.len == BOOT_ENC_KEY_SIZE);
rc = key_unwrap(buf, enckey);
assert(*bootutil_enc_key->len == BOOT_ENC_KEY_SIZE);
rc = key_unwrap(buf, enckey, bootutil_enc_key);

#endif /* defined(MCUBOOT_ENCRYPT_KW) */

#if defined(MCUBOOT_ENCRYPT_EC256)

cp = (uint8_t *)bootutil_enc_key.key;
cpend = cp + *bootutil_enc_key.len;
cp = (uint8_t *)bootutil_enc_key->key;
cpend = cp + *bootutil_enc_key->len;

/*
* Load the stored EC256 decryption private key
Expand All @@ -500,8 +525,8 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)

#if defined(MCUBOOT_ENCRYPT_X25519)

cp = (uint8_t *)bootutil_enc_key.key;
cpend = cp + *bootutil_enc_key.len;
cp = (uint8_t *)bootutil_enc_key->key;
cpend = cp + *bootutil_enc_key->len;

/*
* Load the stored X25519 decryption private key